diff --git a/README.md b/README.md index b206777..3ebaa0f 100644 --- a/README.md +++ b/README.md @@ -226,7 +226,7 @@ Available securities for vmess: none, aes-128-gcm, chacha20-poly1305 TLS client scheme: - tls://host:port[?serverName=SERVERNAME][&skipVerify=true] + tls://host:port[?serverName=SERVERNAME][&skipVerify=true][&alpn=proto1][&alpn=proto2] Proxy over tls client: tls://host:port[?skipVerify=true][&serverName=SERVERNAME],scheme:// @@ -235,7 +235,7 @@ Proxy over tls client: tls://host:port[?skipVerify=true],vmess://[security:]uuid@?alterID=num TLS server scheme: - tls://host:port?cert=PATH&key=PATH + tls://host:port?cert=PATH&key=PATH[&alpn=proto1][&alpn=proto2] Proxy over tls server: tls://host:port?cert=PATH&key=PATH,scheme:// diff --git a/config.go b/config.go index 038fae9..041a11a 100644 --- a/config.go +++ b/config.go @@ -204,7 +204,7 @@ func usage() { fmt.Fprintf(w, "\n") fmt.Fprintf(w, "TLS client scheme:\n") - fmt.Fprintf(w, " tls://host:port[?serverName=SERVERNAME][&skipVerify=true]\n") + fmt.Fprintf(w, " tls://host:port[?serverName=SERVERNAME][&skipVerify=true][&alpn=proto1][&alpn=proto2]\n") fmt.Fprintf(w, "\n") fmt.Fprintf(w, "Proxy over tls client:\n") @@ -215,7 +215,7 @@ func usage() { fmt.Fprintf(w, "\n") fmt.Fprintf(w, "TLS server scheme:\n") - fmt.Fprintf(w, " tls://host:port?cert=PATH&key=PATH\n") + fmt.Fprintf(w, " tls://host:port?cert=PATH&key=PATH[&alpn=proto1][&alpn=proto2]\n") fmt.Fprintf(w, "\n") fmt.Fprintf(w, "Proxy over tls server:\n") diff --git a/go.mod b/go.mod index 1378aec..40ca0c4 100644 --- a/go.mod +++ b/go.mod 
@@ -7,12 +7,12 @@ require ( github.com/dgryski/go-camellia v0.0.0-20191119043421-69a8a13fb23d github.com/dgryski/go-idea v0.0.0-20170306091226-d2fb45a411fb github.com/dgryski/go-rc2 v0.0.0-20150621095337-8a9021637152 - github.com/insomniacslk/dhcp v0.0.0-20210812084645-decc701b3665 + github.com/insomniacslk/dhcp v0.0.0-20210813103503-c143d771146e github.com/nadoo/conflag v0.2.3 github.com/nadoo/ipset v0.3.0 github.com/xtaci/kcp-go/v5 v5.6.1 - golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 - golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e + golang.org/x/crypto v0.0.0-20210813211128-0a44fdfbc16e + golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912 ) require ( @@ -26,7 +26,7 @@ require ( github.com/templexxx/xorsimd v0.4.1 // indirect github.com/tjfoc/gmsm v1.4.1 // indirect github.com/u-root/uio v0.0.0-20210528151154-e40b768296a7 // indirect - golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d // indirect + golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d // indirect ) // Replace dependency modules with local developing copy diff --git a/go.sum b/go.sum index e8c037e..75f43af 100644 --- a/go.sum +++ b/go.sum 
@@ -39,8 +39,8 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714 h1:/jC7qQFrv8CrSJVmaolDVOxTfS9kc36uB6H40kdbQq8= github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis= -github.com/insomniacslk/dhcp v0.0.0-20210812084645-decc701b3665 h1:skMK5bGMStbk2T6am4JEOtm4KWiRB6/bLSeUHPzf88Y= -github.com/insomniacslk/dhcp v0.0.0-20210812084645-decc701b3665/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E= +github.com/insomniacslk/dhcp v0.0.0-20210813103503-c143d771146e h1:ttrVy1tKtnMySMy7pbVtMQSweHyLLQuLCcRj4lbGCBQ= +github.com/insomniacslk/dhcp v0.0.0-20210813103503-c143d771146e/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E= github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw= github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ= github.com/jsimonetti/rtnetlink v0.0.0-20201009170750-9c6f07d100c1/go.mod h1:hqoO/u39cqLeBLebZ8fWdE96O7FxrAsRYhnVOdgHxok= 
@@ -104,8 +104,8 @@ golang.org/x/crypto v0.0.0-20191219195013-becbf705a915/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 h1:/UOmuWzQfxxo9UtlXMwuQU8CMgg1eZXqTRwkSQJWKOI= -golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20210813211128-0a44fdfbc16e h1:VvfwVmMH40bpMeizC9/K7ipM5Qjucuu16RWfneFPyhQ= +golang.org/x/crypto v0.0.0-20210813211128-0a44fdfbc16e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= 
@@ -129,8 +129,8 @@ golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81R golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d h1:20cMwl2fHAzkJMEA+8J4JgqBQcQGzbisXo31MIeenXI= -golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d h1:LO7XpTYMwTqxjLcGWPijK3vRXg1aWdlNOVOHRq45d7c= +golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -156,8 +156,8 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e h1:WUoyKPm6nCo1BnNUvPGnFG3T5DUVem42yDJZZ4CNxMA= -golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912 h1:uCLL3g5wH2xjxVREVuAbP9JM5PPKjRbXKRa6IBjkzmU= +golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= diff --git a/proxy/tls/tls.go b/proxy/tls/tls.go index 471d2fc..9d87b3d 100644 --- a/proxy/tls/tls.go +++ b/proxy/tls/tls.go @@ -25,6 +25,8 @@ type TLS struct { certFile string keyFile string + alpn []string + server proxy.Server } @@ -50,6 +52,7 @@ func NewTLS(s string, d proxy.Dialer, p proxy.Proxy) (*TLS, error) { skipVerify: query.Get("skipVerify") == "true", certFile: query.Get("cert"), keyFile: query.Get("key"), + alpn: query["alpn"], } if _, port, _ := net.SplitHostPort(t.addr); port == "" { 
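Review bot: The `alpn: query["alpn"]` line in NewTLS stores the query values without validation, so an empty entry (`alpn=`) or one longer than 255 bytes ends up in `NextProtos`. As far as I know, crypto/tls rejects such a value only when the client hello is built, which turns a configuration typo into a per-connection handshake failure; on the server side an empty entry would simply never match. I would check the list once here, before the struct is returned: loop over `t.alpn` and return an error when `len(proto) == 0 || len(proto) > 255`. NewTLS starts before and continues past this hunk, so an existing check further down would not be visible here.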
@@ -65,18 +68,19 @@ func NewTLS(s string, d proxy.Dialer, p proxy.Proxy) (*TLS, error) { // NewTLSDialer returns a tls dialer. func NewTLSDialer(s string, d proxy.Dialer) (proxy.Dialer, error) { - p, err := NewTLS(s, d, nil) + t, err := NewTLS(s, d, nil) if err != nil { return nil, err } - p.config = &stdtls.Config{ - ServerName: p.serverName, - InsecureSkipVerify: p.skipVerify, + t.config = &stdtls.Config{ + ServerName: t.serverName, + InsecureSkipVerify: t.skipVerify, + NextProtos: t.alpn, MinVersion: stdtls.VersionTLS12, } - return p, err + return t, err } // NewTLSServer returns a tls transport layer before the real server. @@ -99,6 +103,7 @@ func NewTLSServer(s string, p proxy.Proxy) (proxy.Server, error) { t.config = &stdtls.Config{ Certificates: []stdtls.Certificate{cert}, + NextProtos: t.alpn, MinVersion: stdtls.VersionTLS12, } diff --git a/proxy/trojan/client.go b/proxy/trojan/client.go index 62fd597..28c6183 100644 --- a/proxy/trojan/client.go +++ b/proxy/trojan/client.go @@ -31,7 +31,6 @@ func NewTrojanDialer(s string, d proxy.Dialer) (proxy.Dialer, error) { t.tlsConfig = &tls.Config{ ServerName: t.serverName, InsecureSkipVerify: t.skipVerify, - NextProtos: []string{"http/1.1"}, MinVersion: tls.VersionTLS12, } diff --git a/proxy/ws/client.go b/proxy/ws/client.go index 3bca9b4..9fed0d9 100644 --- a/proxy/ws/client.go +++ b/proxy/ws/client.go @@ -31,7 +31,6 @@ func NewWSSDialer(s string, d proxy.Dialer) (proxy.Dialer, error) { w.tlsConfig = &tls.Config{ ServerName: w.serverName, InsecureSkipVerify: w.skipVerify, - NextProtos: []string{"http/1.1"}, MinVersion: tls.VersionTLS12, }
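Review bot: Setting `NextProtos: t.alpn` in NewTLSDialer only advertises the list; nothing in this hunk checks which protocol the server selected, and a server that ignores ALPN still completes the handshake with an empty negotiated protocol. If `alpn` is meant to pin the application protocol (for example as a guard against cross-protocol confusion), the dial path should compare `ConnectionState().NegotiatedProtocol` with the configured list after the handshake; that code is outside this hunk, so it may already exist. If the option is advisory, say so on the function: `// alpn is offered to the server; the negotiated protocol is not enforced.` Separately, `return t, err` always returns a nil error at that point and reads more clearly as `return t, nil`.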
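Review bot: The new `NextProtos: t.alpn` in NewTLSServer changes which clients are accepted, and neither the code nor the usage text says how. On Go releases that enforce ALPN on the server (1.17 and later, as far as I recall), a client offering only protocols outside the list is rejected during the handshake, while a client that sends no ALPN extension at all is still accepted. A comment above the config would spare operators the guess, e.g. `// NextProtos: clients offering ALPN must match one entry; clients without ALPN are still accepted.` NewTLSServer begins before this hunk and continues after it.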